With the implications for losing a laptop computer to theft growing every day, companies must be prepared to respond to the theft of these machines and put strategies in place to protect both their sensitive information and their corporate images.
Before the end of the current session, the U.S. House of Representatives is expected to vote on the passage of the Financial Data Protection Act of 2005, which aims for more stringent reporting requirements for businesses that lose or mishandle sensitive customer data.
Much as similar laws passed by individual states have pushed the problem into the spotlight, the bill, if passed, is likely to force companies to be even more open about their technology-related missteps.
As a result of such legislative efforts, and the landslide of publicity from high-profile security breaches among the nations largest businesses and government agencies, business executives are increasingly aware of the threat posed by stolen or misplaced laptops, and the scrutiny they will face from customers, partners and regulators when data stored on missing devices has not been appropriately protected.
The recent theft of a laptop owned by the U.S. Department of Veterans Affairs that held the personal information of an estimated 26.5 million people is widely considered the nightmare scenario for those responsible for managing their companies IT security operations.
“Nobody wants to be on the 6 oclock news, and the reality is that we do lose equipment every year,” said Bill Jenkins, director of IT for Unicco, a provider of facility management services in Newton, Mass.
“And no matter how hard you try to educate your users, some people will always do stupid things and walk around with data they shouldnt, even when youve told them not to do so.”
To help protect his company if laptops go missing, Jenkins said Unicco has employed a multilayered defense approach that requires data encryption tools on every device and stresses education about improving users equipment and information-handling habits.
Experts agree that creating such a plan and employing multiple endpoint security tools is the best way to help prepare for eventual incidents.
According to a report issued by the FBI, roughly one in 10 laptops will eventually be lost or stolen.
At IT services giant Computer Sciences, the issue of stolen or misplaced equipment is a substantial because of the firms need to protect the interests of its high-profile customers, and the logistics of managing its 79,000 strong employee work force.
Michael Rider, chief information security officer for CSC, in El Segundo, Calif., said the company is rapidly increasing its focus on protecting data stored on mobile devices both internally and for its customers.
Beyond applying encryption applications to all laptops and other mobile devices, he said that building and enforcing aggressive security policies is the most effective way to improve a companys standing.
“Encryption is a great protection method, but its only a technology and businesses need to put people and process to work to address the problem or those tools wont suffice,” Rider said.
“If you havent got the right process in place to recover data in case of an incident, you could still lose information, because encryption is only as good as the end users ability to use it and understand why they need to do so.”
Encryption Is Only Part
of the Solution”>
As part of that plan, companies should employ data forensics technology and other forms of investigation that will help them determine what information was stored on a particular device and how to find out whether or not the information has been compromised.
While its unlikely that the missing laptop will be recovered, as it was in the VAs case, knowing exactly what data may have been exposed on each specific machine before it goes missing will give companies a starting point for launching their security efforts.
Internally, CSC has created a security incident control center that serves as a clearinghouse for any IT mishaps.
In maintaining a round-the-clock point of contact for workers when something goes wrong, the firm can respond to incidents and mitigate risks much faster, Rider said.
The amount of time needed to begin reacting to a laptop theft is one of the most important factors in minimizing the impact of such a situation, Rider added.
Another step that businesses must take to respond to stolen laptops is to organize a team of specialists who can help determine how serious the implications of the event may be, and what requirements their firms may face in reporting incidents publicly.
CSC advises its customers to craft a panel of technology specialists, human resources officials and legal counsel to try to get those facts straight and determine whatever regulations must be adhered to.
Executives at Pointsec Mobile Technologies, which markets endpoint device encryption applications, said enterprises must start with an internal policy that dictates how sensitive every piece of information is and how that specific data and the device it resides on must be protected.
“A big part of this is making sure that the user base and the entire IT department know what they need to do to protect the information,” said Bob Egner, vice president of product management for the Lisle, Ill., firm.
“If you dont engage in this type of planning before you implement security technologies, you may find that your needs arent met by a lot of the products that are out there.”
Pointsec recommends that its customers review all of the various device images they maintain, and the configurations of every type of machine to determine what encryption tools fit each computer model best.
Companies should also look at their administrative and help desk systems to make sure computers are being updated properly, and that users have access to expertise to help them mitigate risks after a machine has gone missing.
Even when applying encryption software to their laptops, companies must plan strategically to best secure their data, said Chris Parkerson, senior product marketing manager at RSA Securitys Data Security Division, in Bedford, Mass.
Throwing a blanket encryption policy over your entire enterprise wont solve problems as effectively as examining the types of data that could be affected by a laptop theft, he said.
“CIOs cant just go out in a panic mode and start encrypting everything; its smarter to be tactical and look at where exactly the data lives, what type of device its on, and then it becomes a more understandable risk management problem,” said Parkerson.
“It obviously wont help at all if you dont encrypt the right content,” he added. “Traditionally, people have looked at securing systems, but now people are looking at where the data resides, and thats the right idea.”